sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

`copy` with SBOM fails but `attach sbom` passes #3145

Open ethanchowell opened 1 year ago

ethanchowell commented 1 year ago

Description

I'm trying to copy images from a third-party registry to our private ECR, but keep getting hung up on errors like the following:

$ cosign copy $SRC_IMAGE $DEST_IMAGE
Error: PUT https://.../xxxxxx.sbom: UNSUPPORTED: Invalid parameter at 'ImageManifest' failed to satisfy constraint: 'Invalid JSON syntax'

However, if I download the sbom with

cosign download sbom registry/image/name:tag > image.sbom

I can push it to ECR without any issues

cosign attach sbom --sbom image.sbom ecr-registry/image/name:tag

I would expect the results of these to be the same. The image does not exist in my private registry before running copy, and I did have to manually push it before I could run attach. I also verified that the issue persisted with copy after pushing the image manually.

Version

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.1.1
GitCommit:     baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState:  clean
BuildDate:     2023-06-27T06:57:11Z
GoVersion:     go1.20.5
Compiler:      gc
Platform:      linux/amd64

hectorj2f commented 1 year ago

@ethanchowell I'd suggest you use cosign copy command https://github.com/sigstore/cosign/blob/main/doc/cosign_copy.md.

ethanchowell commented 1 year ago

@hectorj2f I've updated my original post to better reflect that I'm using cosign copy. It's the copy command that is failing for me trying to transfer the SBOM, but working when I do the steps manually with download and attach. The specific SBOM format it's trying to copy is SPDX-2.2 generated from syft.

hectorj2f commented 1 year ago

@ethanchowell I am not sure what the problem could be. Have you tried with other blobs such as attestations?

ethanchowell commented 1 year ago

Yeah, the other blobs will copy over without issue. The attestation shows up in ECR, in this case a trivy vuln report, and the signature as well. The image itself doesn't copy, but I assumed that was because the SBOM was failing. Taking a look at the debug logs, it looks like the mediaType is being set differently based on the command (spdx+json vs text/spdx).

$ cosign copy $SRC_IMAGE $DEST_IMAGE -d
...
2023/08/01 21:49:58 --> PUT https://....sbom
2023/08/01 21:49:58 PUT /....sbom HTTP/1.1
Host: ...
User-Agent: cosign/v2.1.1 (linux; amd64) go-containerregistry/v0.15.2
Content-Length: 370
Authorization: <redacted>
Content-Type: application/vnd.oci.image.manifest.v1+json
Accept-Encoding: gzip

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":243,"digest":"sha256:253d8e91809e7f2b6888838f2347507a85eead32bc423dc7d7d05db2e6b9cfec"},"layers":[{"mediaType":"spdx+json","size":119840,"digest":"sha256:563edcfb2d0f77bc4a86a3a4eed782af52acd4b30b52968e198264603d4c4cb6"}]}

$ cosign attach sbom --sbom src_image.sbom
...
2023/08/01 21:51:25 --> PUT https://...sbom
2023/08/01 21:51:25 PUT /...sbom HTTP/1.1
Host: ...
User-Agent: cosign/v2.1.1 (linux; amd64) go-containerregistry/v0.15.2
Content-Length: 370
Authorization: <redacted>
Content-Type: application/vnd.oci.image.manifest.v1+json
Accept-Encoding: gzip

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":248,"digest":"sha256:a0bbf7878dbec310eea308823165e373a76db143f1bb53a3ec467063291e37a0"},"layers":[{"mediaType":"text/spdx","size":119840,"digest":"sha256:563edcfb2d0f77bc4a86a3a4eed782af52acd4b30b52968e198264603d4c4cb6"}]}

Even when I add --input-format=json to see if I can nudge attach to use the same mediaType, it becomes text/spdx+json which is also able to push the content to ECR.

ethanchowell commented 1 year ago

@hectorj2f I think I've been able to run this to ground. The third-party registry we copy images from appears to still be using a v1.x version of cosign, and the sbom mediaType for those versions was spdx+json https://github.com/sigstore/cosign/pull/2479. That explains the mismatch between the mediaTypes when I copy vs attach since I'm using v2.1.1.

Would it be feasible for cosign to convert this mediaType during the copy process if the older format is detected?
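The two manifests quoted above differ only in the SBOM layer's mediaType (legacy `spdx+json` from a v1.x-era attachment versus `text/spdx` / `text/spdx+json` from cosign v2), while the layer digest and size are identical. The following is an added example, not cosign's code and not something posted by anyone in this thread: a stdlib-only Go program that takes the raw `.sbom` manifest JSON, rewrites known legacy layer media types to the v2 value that ECR accepted in this thread, and reports what changed. The `legacyToCurrent` mapping is this example's own assumption (only the `spdx+json` to `text/spdx+json` pair is taken from the thread); the sample input is the manifest body from the failing `cosign copy -d` PUT above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// legacyToCurrent maps the layer media type written by cosign v1.x SBOM
// attachments (seen on the failing `cosign copy` PUT in this issue) to the
// value cosign v2 writes for `--input-format=json`, which ECR accepted in the
// same thread. ASSUMPTION of this example: extend the map if your source
// registry carries other legacy types.
var legacyToCurrent = map[string]string{
	"spdx+json": "text/spdx+json",
}

// NormalizeSBOMManifest takes the raw JSON of a `.sbom` tag's OCI image
// manifest and rewrites any layer whose mediaType is a known legacy value.
// It works on a generic map so annotations and other fields survive the
// round trip. It returns the rewritten manifest and the number of layers
// changed. Layer digests and sizes are untouched: only the descriptor's
// label changes, never the blob, so the SBOM content itself is unchanged.
func NormalizeSBOMManifest(raw []byte) ([]byte, int, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, 0, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	layers, ok := m["layers"].([]any)
	if !ok {
		return nil, 0, fmt.Errorf("manifest has no layers array")
	}
	changed := 0
	for i, l := range layers {
		layer, ok := l.(map[string]any)
		if !ok {
			return nil, 0, fmt.Errorf("layer %d is not an object", i)
		}
		mt, _ := layer["mediaType"].(string)
		if cur, legacy := legacyToCurrent[mt]; legacy {
			layer["mediaType"] = cur
			changed++
		}
	}
	out, err := json.Marshal(m)
	if err != nil {
		return nil, 0, err
	}
	return out, changed, nil
}

// LayerMediaTypes returns the layer media types of a manifest, in order, so a
// caller can see exactly what a registry will be asked to accept before a push.
func LayerMediaTypes(raw []byte) ([]string, error) {
	var m struct {
		Layers []struct {
			MediaType string `json:"mediaType"`
		} `json:"layers"`
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	types := make([]string, 0, len(m.Layers))
	for _, l := range m.Layers {
		types = append(types, l.MediaType)
	}
	return types, nil
}

// legacyManifest is the manifest body from the failing `cosign copy -d` PUT
// quoted in this issue, reused here as the sample input.
const legacyManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":243,"digest":"sha256:253d8e91809e7f2b6888838f2347507a85eead32bc423dc7d7d05db2e6b9cfec"},"layers":[{"mediaType":"spdx+json","size":119840,"digest":"sha256:563edcfb2d0f77bc4a86a3a4eed782af52acd4b30b52968e198264603d4c4cb6"}]}`

func main() {
	before, _ := LayerMediaTypes([]byte(legacyManifest))
	out, n, err := NormalizeSBOMManifest([]byte(legacyManifest))
	if err != nil {
		panic(err)
	}
	after, _ := LayerMediaTypes(out)
	fmt.Printf("rewrote %d layer(s): %v -> %v\n", n, before, after)
	fmt.Println(string(out))
}
```

Two caveats for anyone using this between a `crane`/`cosign download` step and a push: the rewritten manifest has a different digest from the original, so anything that referenced the old `.sbom` manifest by digest will no longer match; and because only the descriptor label changes, the SBOM blob can be pushed as-is and its `sha256:563edc…` digest stays verifiable against the source.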

viveksahu26 commented 6 months ago

Closing this issue, as the cosign attach sbom feature will be deprecated on 22/02/2024, so adding further features to it makes no sense. Instead, use the cosign attest command as an alternative.